That sounds very unlikely to me, but just to be sure:
Can a member of 'Domain Users' join a computer to the domain (granted that he has the local administrator account)?

The instructor said it, and it sounds very wrong.
I tested it and I got 'Access denied' when I tried to supply a regular user's credentials.
Am I missing something here?

Update:
You get Access Denied if you already have a computer with that name in AD. If you delete the account, any user with local Administrator account could join the computer, auto creating an account in AD. UNBELIEVABLE.

Personally, I don't find this a terrible concern. A domain member is subject to your domain's Group Policy. By joining their computer to your domain, the computer becomes subject to all of the applicable policies. This can include their loss of local administrative rights. It's up to you, the admin, to determine which policies you need to apply in your environment to make it "secure enough".
– jscott, Sep 5 '11 at 17:11

To clarify, you need more than just a local administrator account - you do need a valid domain user account during the join operation.
– Shane Madden♦, Sep 5 '11 at 17:19

If this is a concern for you, it is quite possible to change the default location where new computer-objects are created. Set the GPO on that location to be very restrictive, such as disabling the local Administrator account, and by doing so users end up with a much more locked down workstation than they started with. Quite the disincentive.

The Microsoft view of this is that the user is opting into your security and domain policies by having the ability to join machines to the domain.
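
An added example, not part of the original question or answers: a read-only PowerShell audit of the behaviour discussed in this thread. It assumes the ActiveDirectory (RSAT) module and reports the domain's `ms-DS-MachineAccountQuota` (the per-user limit on self-created computer accounts, not named on this page), the default container for new computer objects, and the computer accounts whose `mS-DS-CreatorSID` records a user as their creator.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access
# to the directory. Nothing here modifies the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Number of computer accounts an ordinary authenticated user may create.
# The attribute lives on the domain root; 0 turns user-initiated joins off.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

# Container that receives new computer objects when the join names no OU.
$defaultContainer = $domain.ComputersContainer

"Machine account quota      : $quota"
"Default computer container : $defaultContainer"

# mS-DS-CreatorSID is populated when an account was created under the
# add-workstations user right rather than through delegated permissions,
# so it identifies machines that users joined on their own.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
               -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        try {
            $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $creator = $sid.Value   # creator deleted or SID not resolvable
        }
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
            # True if the object still sits in the default container, i.e.
            # it only receives whatever policy applies at that location.
            InDefault   = $_.DistinguishedName.EndsWith(
                              ",$defaultContainer",
                              [System.StringComparison]::OrdinalIgnoreCase)
        }
    } |
    Sort-Object CreatedBy, WhenCreated |
    Format-Table -AutoSize
```

Rows with `InDefault` set to `True` are the machines that depend on the policy linked at the default location, which is the control the answer above relies on.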